Monday, September 26 2005 @ 11:00 PM CEST

Welcome to the next Armadillo tutorial! This tutorial is the second part of the first one and relies heavily on it.

1. Requirements

- Windows XP
- Target
- OllyDbg 1.10
- ImpREC
- LordPE

Of course, you must know how to use those tools. I will not explain how to set a memory breakpoint on access, or a hardware breakpoint, or which window you need to open to find what I'm talking about. It's pretty exhausting to write that way, and if you want to deal with protectors you must already know all that.

You know how to reach the OEP from the first tutorial: use a bp on OutputDebugStringA to kill the Olly exploit, place a bp on CreateThread to find the CALL ECX that will throw you at the OEP. Fix the PE header by copy-pasting bytes from another instance of the target and dump the file. You found the OEP to be here:

We will fix imports in the same way as we did in the first tutorial: we will change the magic jump from JNZ to JMP so it will never redirect imports. But there are two small problems: encryption and CRC. I hope that you didn't close Olly after dumping. If you have, find the OEP again. Check that missing import:

Remember the address of that redirected import -> 004042C. Now restart the target in Olly and get to the OutputDebugStringA check. After you have fixed that check, go to the dump window and find this address. It will be empty, but place a hardware bp on write on the DWORD there (on the first 4 bytes, the zeroes) and press F9. You will stop first here (after the nag window):

This code should be familiar to you from the first tutorial. The most important part is our jump at 00ACCA6B. That address could be different on your computer, so write it down. Now restart the target in Olly again and again get to OutputDebugStringA. Fix it and then in the CPU window go to the 00ACCA6B expression (our jump):

Instead of our jump, you will see some junk code as above. That is because in the standard protection the Armadillo dll is encrypted and decrypted on the fly. But we can easily solve this problem: on address 00ACCA6B, where our jump should be, place a hardware breakpoint on execution and just run Olly. After the nag window, the code will decrypt and Olly will stop on your breakpoint:

Remove the breakpoint, change JNZ to JMP and just run our target (F9). Soon the target will crash on some exception. The problem is that the encrypt/decrypt process depends on some integrity check, and since we have changed some bytes, the file has become useless. But don't panic, this is not a problem at all. Our file has crashed, but the import section .rdata contains valid thunks. So binary copy the whole .rdata section and open another instance of Olly. Open the target in that Olly and find the OEP without messing with the imports problem. When you reach the OEP there, just binary paste the data from the clipboard into the .rdata section. You can close the first Olly now. Open ImpREC, attach to our target, find imports, cut all invalid ones and repair the dumped file. That's it! Run it and it will work fine ;)
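The step above, carrying the valid .rdata section out of the crashed instance and into a clean one, can also be done on two saved dumps outside the debugger. The Python below is an added example, not code from the original tutorial or from any of the tools listed: it walks the PE section table, checks that both files lay out .rdata identically, transplants the raw section bytes, and counts zero DWORDs as a rough check that the thunks are filled in. The two files it works on are tiny constructed PE32 images with no real code, built by build_image purely for the demo; on real dumps you would read the two files in binary mode and write the result out.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def section_headers(image: bytes) -> list:
    """Walk the DOS/PE headers and return one dict per section header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    first = e_lfanew + 24 + size_of_optional
    headers = []
    for i in range(num_sections):
        f = SECTION_HEADER.unpack_from(image, first + i * SECTION_HEADER.size)
        headers.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_ptr": f[4],
        })
    return headers


def find_section(image: bytes, name: str) -> dict:
    for hdr in section_headers(image):
        if hdr["name"] == name:
            return hdr
    raise KeyError(f"section {name!r} not present")


def transplant_section(src: bytes, dst: bytes, name: str = ".rdata") -> bytes:
    """Return a copy of dst whose `name` section holds the raw bytes of src's."""
    s, d = find_section(src, name), find_section(dst, name)
    # Both dumps must come from the same binary laid out identically,
    # otherwise the thunk addresses would not line up.
    if (s["virtual_address"], s["raw_size"]) != (d["virtual_address"], d["raw_size"]):
        raise ValueError("section layout differs between the two dumps")
    chunk = src[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    return dst[:d["raw_ptr"]] + chunk + dst[d["raw_ptr"] + d["raw_size"]:]


def count_zero_dwords(image: bytes, name: str = ".rdata") -> int:
    """Rough sanity check: unresolved import thunks show up as zero DWORDs."""
    hdr = find_section(image, name)
    data = image[hdr["raw_ptr"]:hdr["raw_ptr"] + hdr["raw_size"]]
    return sum(1 for off in range(0, len(data) - 3, 4)
               if data[off:off + 4] == b"\0\0\0\0")


def build_image(text: bytes, rdata: bytes) -> bytes:
    """Constructed minimal PE32 file (no real code), 0x200 file alignment."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    text_hdr = SECTION_HEADER.pack(b".text", len(text), 0x1000, 0x200, 0x200,
                                   0, 0, 0, 0, 0x60000020)
    rdata_hdr = SECTION_HEADER.pack(b".rdata", len(rdata), 0x2000, 0x200, 0x400,
                                    0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(optional)
               + text_hdr + rdata_hdr).ljust(0x200, b"\0")
    return headers + text.ljust(0x200, b"\0") + rdata.ljust(0x200, b"\0")


if __name__ == "__main__":
    # Constructed stand-ins: one image with thunks filled in, one still empty.
    with_thunks = build_image(b"\xCC" * 16, bytes(range(1, 17)))
    without_thunks = build_image(b"\xCC" * 16, b"\0" * 16)
    repaired = transplant_section(with_thunks, without_thunks)
    print("zero DWORDs before:", count_zero_dwords(without_thunks))
    print("zero DWORDs after: ", count_zero_dwords(repaired))
```

The layout check in transplant_section is the part that matters: ImpREC can only make sense of the pasted thunks if the section sits at the same virtual address and raw size in both dumps, which is why the tutorial insists on a second instance of the same target rather than any other file.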

That was not hard. You can use LordPE to reduce the file size like in the first tutorial.

4. Final words

That was all for this time. In the next tutorial I hope to show how to defeat Armadillo's code-splicing feature.

As usual, greets go to all folks on BIW Reversing. See you next time.